Thank you for the replies,
@vanegi, @BrianKasingli Adding the path to the list of URLs that do not require authentication certainly worked; however, it feels like a bit of a workaround. Is there no other way? What has changed in v6.4.8.1? Also, I am not sure how I would add a request header from an HTML form.
@ChitraMadan I don't think this is related to the Apache Sling Referrer Filter; the host that makes the POST request has already been added to the Allowed Hosts. I also tried ticking Allow Empty and removing POST from the filter methods but still got the 403.
@kunal23 The granite.csrf.standalone clientlib has already been included on the page, but not inside the iframe. However, I am not sure this issue is related to the CSRF protection, as the servlet path has already been included in the Excluded Paths section of the Adobe Granite CSRF Filter config. I also tried removing POST from the filter methods but still got the 403.
Your help would be much appreciated, thank you.